This is a continuation of viewtopic.php?f=624&t=600027 which wasn't intended to be taken over by one extension in a Joomla! general support forum.

I've today released the first stable version (1.0.4) of the JMapMyLDAP extensions. The extension was created to map LDAP groups to Joomla! 1.6 and 1.7 groups; though I hope in the future it will cover a wide range of LDAP integration features. The intended audience is mainly Intranet sites that use an LDAP server such as Active Directory to centrally authenticate users. It is a non-commercial GNU GPL extension currently consisting of a couple of plug-ins and a few libraries.

I would like to thank everyone that has provided me with suggestions and feedback during the alpha and beta stages. This project has taken me a couple of months just to get to this stage, though it is my first Joomla! extension.

Like the last thread, I would like to use this thread as a place for people to ask questions or give feedback.

Firstly, thanks for a great J1.6/1.7 plugin. I am successfully using an OpenLDAP server and, following your clear install guide, I was easily able to get LDAP Authorization/sync and group mapping working.

One question: for future releases, will it be possible for the Joomla User registration to create LDAP users?

This is one of my future aims of the project. Version 2.0 will introduce a separated LDAP plugin type for adding/removing features (such as group mapping, profiles, and potentially new users). This means after the initial 2.0 release, it should be easier to add features like creating new users back to the LDAP directory. As for a timescale; I'm hoping to release an alpha version in the next 2-3 weeks depending on the amount of other work I currently have.

@umbobabo - This sounds like single sign on? If so then yes. HTTP SSO is the most common way of achieving this and is currently the only SSO plugin in my set of extensions. The authentication protocol you use (i.e. Kerberos or NTLM) depends on your web server. After it is set up you will be able to:

1) Log into your Windows based workstation using an AD user account
2) Open up your Joomla! website
3) SSO automatically logs in your Joomla website using the same credentials as you used in step 1

Hope that answers your question.

--

On a project update: I haven't been around the last ~2 weeks and therefore, some things are behind schedule. Also I have a backlog of emails, so if you have emailed me, I will try to reply in the coming days.

@Shaun Sounds very good, I will try as soon as possible. I have an Apache webserver on a Windows 2003 server machine. I already got the LDAP plugin working with AD but the Joomla login seems to be required, simple LDAP read user from AD instead of MySQL (with users bridge).

Firstly, thanks for a great J1.6/1.7 plugin. I am successfully using an OpenLDAP server and, following your clear install guide, I was easily able to get LDAP Authorization/sync and group mapping working.

One question: for future releases, will it be possible for the Joomla User registration to create LDAP users?

Regards
Steve

If this is in fact added, I believe that this extension would be a dream come true.

I think it would also be hugely useful if it could alternatively be plugged into Community Builder registration (to directly create Active Directory users).

Using AD to centrally manage users is of course amazing...but never before this was I able to find a Joomla project that actually aimed to allow for complete user data synchronization and Joomla-based AD registration.

Did I miss a precursor to this project that worked for 1.5 (and did I spend unnecessary time writing my own sync code)? In any event I am very excited for this extension now that I am moving my site to 1.7...

EDIT: I think JAuthTools (which seems like the closest thing for Joomla/LDAP syncing 1.5) never allowed for such registration features or "two-way" syncing of users, but maybe I just missed that. Since JAuthTools itself is apparently not available for 1.7 though, I guess that isn't relevant anyway. As far as I can tell then, your extension must be even more critically needed!

I've replied to your email; your search option is certainly not correct in the second screenshot.

Filters must be used in the User DN/Filter with search on (sAMAccountName=[username]). Otherwise if search is off then User DN/Filter needs to be a DN (i.e. cn=[username],ou=[users],o=company OR additionally with AD you could use DOMAIN\[username]).

@mk14 This is the aim of the project. Firstly coding the mini framework, then at a later date, releasing extension specific plug-ins. Other extension specific plug-ins like JomSocial have also been mentioned. I'm a little tied up with University stuff atm; however should have time this weekend to near a version 2.0 alpha.

I'm hoping to have a final version 2 around the release of J! 2.5 LTS in January.
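The two User DN/Filter modes described in the reply above, sketched as an added example that is not JMapMyLDAP's own code: the function names are hypothetical, and the escaping follows RFC 4515 (filters) and RFC 4514 (DNs) so that a login name cannot change the filter or DN it is substituted into. The DOMAIN\[username] form is not covered.

```php
<?php
// Added example, not part of JMapMyLDAP; all function names are hypothetical.

// Escape a value for a search filter (RFC 4515), used when search is on.
function escapeFilterValue(string $v): string
{
    return strtr($v, ['\\' => '\\5c', '*' => '\\2a', '(' => '\\28',
                      ')' => '\\29', "\0" => '\\00']);
}

// Escape a value for an RDN inside a DN (RFC 4514), used when search is off.
function escapeDnValue(string $v): string
{
    $v = strtr($v, ['\\' => '\\\\', ',' => '\\,', '+' => '\\+', '"' => '\\"',
                    '<' => '\\<', '>' => '\\>', ';' => '\\;', '=' => '\\=',
                    "\0" => '\\00']);
    if (substr($v, -1) === ' ') {                        // trailing space
        $v = substr($v, 0, -1) . '\\ ';
    }
    if ($v !== '' && ($v[0] === ' ' || $v[0] === '#')) { // leading space or '#'
        $v = '\\' . $v;
    }
    return $v;
}

// Substitute [username] into the configured User DN/Filter value, refusing
// templates that do not match the chosen search mode.
function buildUserLookup(string $template, string $username, bool $searchOn): string
{
    $template = trim($template);
    $looksLikeFilter = $template !== '' && $template[0] === '(';
    if ($searchOn && !$looksLikeFilter) {
        throw new InvalidArgumentException('Search is on: expected a filter such as (sAMAccountName=[username])');
    }
    if (!$searchOn && ($looksLikeFilter || strpos($template, '=') === false)) {
        throw new InvalidArgumentException('Search is off: expected a DN such as cn=[username],ou=[users],o=company');
    }
    $value = $searchOn ? escapeFilterValue($username) : escapeDnValue($username);
    return str_replace('[username]', $value, $template);
}

// Constructed sample input: a login name containing filter and DN metacharacters.
$name = 'smith, j (ops)*';
echo buildUserLookup('(sAMAccountName=[username])', $name, true), "\n";
echo buildUserLookup('cn=[username],ou=users,o=company', $name, false), "\n";
```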

I keep getting the error that the user, with whom I am trying to log in, is either not known or the password is incorrect. I am absolutely sure the creds are OK. I have tried almost every possible combination of config options, but all with the same result. I have searched for a log file of some kind to find out what really happens, but no luck. Can anyone give me a hint?

I have a Joomla 1.7.1 intranet on a Linux SUSE server, Apache 2, PHP 5. In my intranet there are 2 Windows 2003 servers.

I successfully set up the "authentication plugin", so I can log in to my intranet with my Windows credentials. That works fine: a new user was created with his name and email but no group associated, only "registered".

My configuration is like the example. In "Mapping list" I have: CN=AMMINISTRAZIONE:10

"AMMINISTRAZIONE" is a group.

Users--->Domain Users--->PROVA--->AMMINISTRAZIONE

How can I understand if my Windows group is a CN or an OU?

Can you help me? Thanks in advance

Nicola

Last edited by barnic on Thu Oct 20, 2011 6:46 am, edited 1 time in total.

Got it working thanks to your e-mails, but SSO does not work. I've set up a PHPInfo.PHP file, but it's not showing any usernames in the _Server array. I know SSO works on our IIS systems (but I did not configure those).

@jborgman The log file should be in a PHP file called error.php in <joomla directory>/logs/error.php (this is the default location of the log directory). If your log directory hasn't been set up correctly then enable Joomla system debugging mode in the global configuration.

@barnic Groups in AD are normally referred to by common name (CN), so your group mapping does indeed look correct - can you post your Lookup Type, Lookup Attribute and Lookup Member?

@lgwapnitsky I can only really help after you get the username into one of the $_SERVER keys. SSO is only limited to HTTP at the moment. If you are using IIS, then you need to turn off anonymous access and tick integrated Windows authentication.

I only mentioned IIS as we have other servers where SSO is not an issue.

I'm currently on Debian Squeeze with Apache. I'm still trying to determine how to populate the proper $_SERVER key. (that's where I'm stuck)

@barnic Hmm, that looks all correct. Are you using the "Authentication - JMapMyLDAP" plug-in and disabled "Authentication - LDAP"?

Check the log file /logs/error.php for any potential errors - though the user plugin isn't silent and should always tell you if an error occurs.

Can you test enabling "Sync Name" or "Sync Email", then changing a single LDAP user's name or email in Joomla's user manager then trying to re-login again. Does the name change back? This will test if the user plugin is even being called.

ShMaunder wrote: @barnic @lgwapnitsky Ah I see. I normally use this guide http://acksyn.org/diary/?p=460 to configure my Apache server with AD to achieve HTTP authentication.

I'll give that a shot, but that should hopefully populate the fields I need?

Thanks

Yes, once set up, it will populate the $_SERVER['remote_user'] field. Towards the bottom of the guide, it shows how your browser should be set up if you want to automatically login using your Windows workstation AD credentials.

I would highly recommend using this guide on a non-live server for the first time. It took me about half an hour to get working the first time.
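A defensive way to read the web-server-supplied username that HTTP SSO relies on, as an added example that is not JMapMyLDAP code: the function name, the candidate key list and the allowed-realm check are assumptions, and the arrays passed in are constructed samples standing in for $_SERVER. PHP array keys are case-sensitive, and Apache exposes the authenticated name as REMOTE_USER.

```php
<?php
// Added example, not part of JMapMyLDAP; names and the realm list are hypothetical.

// Keys a web server may fill after HTTP authentication (assumed list).
// Client-sent headers appear as HTTP_* keys and are deliberately not consulted.
const SSO_KEYS = ['REMOTE_USER', 'REDIRECT_REMOTE_USER', 'LOGON_USER'];

// Return the bare login name, or null when no key holds an acceptable one.
function ssoUsername(array $server, array $allowedRealms): ?string
{
    foreach (SSO_KEYS as $key) {
        $raw = isset($server[$key]) ? trim((string) $server[$key]) : '';
        if ($raw === '') {
            continue;                            // key absent or empty
        }
        $realm = null;
        $user = $raw;
        if (strpos($raw, '\\') !== false) {      // NTLM style: DOMAIN\user
            list($realm, $user) = explode('\\', $raw, 2);
        } elseif (strpos($raw, '@') !== false) { // Kerberos style: user@REALM
            list($user, $realm) = explode('@', $raw, 2);
        }
        // Drop names from an unexpected realm rather than stripping it blindly.
        if ($realm !== null && !in_array(strtoupper($realm), $allowedRealms, true)) {
            return null;
        }
        // Accept only a conservative character set for the login name.
        if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
            return null;
        }
        return $user;
    }
    return null;
}

// Constructed samples standing in for $_SERVER.
$realms = ['EXAMPLE.LOCAL', 'EXAMPLE'];
var_dump(ssoUsername(['REMOTE_USER' => 'jdoe@EXAMPLE.LOCAL'], $realms)); // Kerberos style
var_dump(ssoUsername(['REMOTE_USER' => 'OTHER\\jdoe'], $realms));        // unexpected domain
var_dump(ssoUsername(['HTTP_HOST' => 'intranet'], $realms));             // no SSO key present
```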

GRRR...on my test server, fully configured and nothing showing up in the $_SERVER fields. IE is already configured for my other servers, so that wasn't necessary to run. Maybe something in the .htaccess file? Paths are all correct and all files exist...

ShMaunder wrote: So it did work before, then it stopped? Take a backup of your current list, then delete the entire contents of the mapping list, put a single entry back and see if it works?

I'm not sure what is really going on here.

I'm going crazy!

This is my last Mapping List:

CN=TITOLARI:14
CN=AMMINISTRAZIONE:10,30
CN=PERSONALE:11,30
CN=ESTERO:12,30
CN=TECNICO:13,30
CN=AREZZO:20,29,30
CN=ITALIA:20,29,30
CN=PROG.PRODUZIONE:19,29,30
CN=REPPREPTUBO:27,17
CN=REPPREPLASTRA:26,17
CN=REPCHIUSURE:28,17
CN=MANUTENZIONE:25,17
CN=MEC CAD:21,18
CN=MEC OFF:24,18
CN=MEC PROD:22,18
CN=MEC TECNICO:23,18

I've just tried with user "lorella": it works, not 100% but it works (perhaps it's normal.... "CN=MEC PROD:22,18" overwrites "CN=AMMINISTRAZIONE:10,30" ? ? ? ) Then, logout and login with user "tiziana": it doesn't work. So, another login with "claudio": it doesn't work. Another one, "nicola": it works 100%

@lgwapnitsky I've only ever implemented Apache AD HTTP authentication a couple of times, so I've not had much experience with setup problems. Did you try some other browser other than IE to check if basic authentication is working at all?

@barnic None of those things would affect your problem. Overrides don't happen either. The plugin will choose as many of the groups as it matches (i.e. not limited to 1). This could be a bug, though I'm not sure why it's occurring.

I'm going to ask you to debug the code to find out if the plugin is picking up any LDAP groups for a user. Open <joomla>/libraries/shmanic/jmapmyldap.php, browse down to line 477 and insert the echo out and die line like:

Shaun-

All 3 browsers on my system are having the same issue - IE, FF, Chrome. I may have to abandon the SSO portion. But otherwise, this works great.